“It is incredibly important to get past the hype about the cloud,” Tombe said during a session at the Cloud and Virtualization Conference and Expo Sept. 9 in Washington, D.C. The conference was sponsored by 1105 Media Inc., parent company of Government Computer News.

Agency managers have to do their homework and bring themselves up to speed with which cloud capabilities will realistically work within their organizations, Tombe said.

1. Have serious talks with the vendors. CBP is focusing on a hybrid approach to cloud computing, implementing a private cloud for mission-critical applications and hosting its public-facing website with a cloud provider. CBP’s Office of International Trade is working with partners to host a collaborative site in the cloud, Tombe said.

There are applications that are easy wins moving to the cloud, such as e-mail and collaboration tools, he said. However, when it comes to “your custom-generated applications, you really want to have a number of conversations with various cloud vendors,” Tombe said. “Those will be enlightening.”

2. Define "cloud." Ask the vendors for their definition of the cloud, Tombe said; he noted they will probably ask you what your definition is.

CBP adheres to the National Institute of Standards and Technology’s definition. Cloud computing provides on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or interaction from the service provider.

3. Focus on the SLA. Next ask vendors about their service-level agreements. If they can’t ensure they will work for no outages or downtime for maintenance or upgrades within the SLA, find another vendor.

Closely scrutinize their security controls and certification: Are they compliant with Federal Information Security Management Act at the low, moderate or high security levels? Most agencies with mission critical data will want the high level of security, he said.

4. Think about the problem resolution process. Find out what are the vendors’ monitoring capabilities and what visibility will they give you into your applications. If they don’t want to give you any visibility, walk away, Tombe said. Another important aspect to focus on is a vendor's capabilities for problem resolution. Will it take weeks? That doesn’t align with a cloud environment, which is supposed to be agile, he noted.

“Here is the key part: Take everything that works and all your requirements and put them in your contract,” Tombe said. Enter into a performance-based contract that rewards vendors for doing great and punishes them for failure.

The need for business-centric, service-level agreements was a theme that ran through the key presentations given earlier in the day by Bajinder Paul, deputy associate administrator with the General Services Administration’s Office of Citizen Services and Innovative Technologies. Having the right service-level agreements is critical for cloud computing, Paul said, noting that he expects his service providers to give hard numbers so he can verify that they are meeting their objectives.

“At the end of the day nothing works more powerfully than financial incentives,” Paul said.